Encrypt Nuxeo password in database

We are using Nuxeo 5.6-RC2. We are connecting via the Oracle template. We have also customized Nuxeo to use our own pre-made users instead of the default Nuxeo users.

Now, the username and password Administrator / Administrator are placed in the MY_CUSTOMIZED_USERS table, and obviously they are not encrypted. In the production environment, users have access to the database and they can see the Administrator password.

Is there any way we can customize Nuxeo to have our login passwords in the database encrypted?

0 votes

2 answers

3708 views

ANSWER



Only the initial Administrator password, that is the word “Administrator”, is not encrypted as the assumption was made that it needs to be reset anyway to make it secure. The moment you change the Administrator password, it does get encrypted.

Please make a test and change your Administrator password and then query the users table to see if that indeed is the case.

1 votes



Thanks Wojciech. I changed the password and, as you said, it got encrypted in the database. But we have made our custom users by making our own user directory.

That's the XML of our contribution:

<extension target="org.nuxeo.ecm.directory.sql.SQLDirectoryFactory"
    point="directories">

  <directory name="RecmUserDirectory">
    <schema>user</schema>
    <idField>username</idField>
    <passwordField>password</passwordField>
    <passwordHashAlgorithm>SSHA</passwordHashAlgorithm>
    <autoincrementIdField>false</autoincrementIdField>
    <dataSource>java:/nxsqldirectory</dataSource>
    <table>recm_users</table>
    <dataFile>data/users.csv</dataFile>
    <createTablePolicy>never</createTablePolicy>
    <querySizeLimit>15</querySizeLimit>
    <nativeCase>true</nativeCase>
    <references>
      <inverseReference field="groups" directory="groupDirectory"
        dualReferenceField="members" />
    </references>
  </directory>

</extension>

user.csv contains our users' usernames and passwords, but they are not encrypted.

The point is that <passwordHashAlgorithm>SSHA</passwordHashAlgorithm> says that the password needs to be SSHA encrypted, but in the database it is initially un-encrypted unless we change it.

Is there any way that our initial passwords can be stored in the database encrypted?

08/28/2012


If <passwordHashAlgorithm>SSHA</passwordHashAlgorithm> is in the config, then Nuxeo will encrypt any password it writes, but will still be able to read unencrypted ones.

If you populate the password database using an external system, then you'll have to do the encryption yourself. You can see how SSHA is implemented by reading the code at https://github.com/nuxeo/nuxeo-services/blob/master/nuxeo-platform-directory/nuxeo-platform-directory-sql/src/main/java/org/nuxeo/ecm/directory/sql/PasswordHelper.java

2 votes
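As an added example (not from this thread and not Nuxeo's own code), a small Python script that pre-hashes the password column of a users CSV before it is loaded, so the initial values never reach the table in clear. It assumes the linked PasswordHelper uses the LDAP-style SSHA layout, `{SSHA}` followed by base64(SHA-1(password || salt) || salt), with an 8-byte salt chosen here; the verifier also accepts un-hashed values, mirroring the read behaviour Florent describes, so converted rows can be checked against the originals.

```python
import base64
import csv
import hashlib
import hmac
import io
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest
SALT_LEN = 8   # random salt bytes appended per password (my choice, not from the page)

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored directory value."""
    if not stored.startswith(SSHA_PREFIX):
        # Unprefixed values are compared as plaintext, mirroring the answer's note
        # that Nuxeo still reads unencrypted passwords once SSHA is configured.
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt is whatever follows the digest
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def hash_csv_passwords(csv_text: str, field: str = "password") -> str:
    """Rewrite the password column of a users CSV; rows already hashed are left alone."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if not row[field].startswith(SSHA_PREFIX):
            row[field] = ssha_hash(row[field])
        writer.writerow(row)
    return out.getvalue()

# Constructed sample in the shape of data/users.csv (not the poster's real file).
SAMPLE_USERS_CSV = """username,password,firstName,lastName
Administrator,Administrator,,
jdoe,s3cret,John,Doe
"""
```

Running `hash_csv_passwords` over the real CSV and writing the result back as `data/users.csv` is enough for the directory to load hashed values; re-running it is safe because prefixed rows are left untouched.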



Perfect. Thanks Florent.
09/25/2012